[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.14.1 to 2.25.3 by weinrich15 · Pull Request #51 · LegitAJ/JavaVulnerableLab

weinrich15 · 2025-12-21T09:29:58Z

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Validation of Certificate with Host Mismatch SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	601	org.apache.logging.log4j:log4j-core: `2.14.1` -> `2.25.3` `No Known Exploit`

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782

weinrich15 · 2025-12-21T09:33:18Z

Checkmarx One – Scan Summary & Details – a9a00257-9ee1-4ee4-87c9-04579ce87c7a

New Issues (166)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
S3 Bucket Allows Delete Action From All Principals	/s3_with_all_permissions.tf: 5	details S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized... `ID: j6z7Nppuf3vonyn6ZDSKClAqRBE%3D`
CVE-2019-14888	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A vulnerability was found in the Undertow HTTP server in versions through 2.0.28.SP1-redhat-00001, version 2.0.28.Final-redhat-00001, and version 2... Attack Vector: NETWORK Attack Complexity: LOW `ID: 2E8MJG7hAu%2FXIxQOhGeylvMS63MzC%2Fj4QenEPFedZbQ%3D` Vulnerable Package
CVE-2023-1973	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A flaw was found in Undertow package. Using the "FormAuthenticationMechanism", a malicious user could trigger a Denial of Service by sending crafte... Attack Vector: NETWORK Attack Complexity: LOW `ID: gt8F6XKxwekRBqucju8YevufvnmmZvoPzxiIXJ%2ByCjk%3D` Vulnerable Package
CVE-2023-22102	Maven-mysql:mysql-connector-java-5.1.26	details Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). The affected versions are through 8.1.0. The difficult-to-e... Attack Vector: NETWORK Attack Complexity: HIGH `ID: 52Pjkzybdh968AHqMgYJBdIfNncDmcfAjJCyW%2BwZjC4%3D` Vulnerable Package
CVE-2023-3223	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A flaw was found in undertow versions through 2.2.26.Final, and 2.3.0.Alpha1 through 2.3.8.Final. Servlets annotated with '@MultipartConfig' may ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: 0zCycYGyGhMZ7gy2SpvqgOxjMOzXXUWEuVpHXroDksg%3D` Vulnerable Package
CVE-2023-4639	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allo... Attack Vector: NETWORK Attack Complexity: HIGH `ID: OIRFB2NLbRHiyPlcqLMB%2Fi76lRQHg52h%2BeoaExCbCEA%3D` Vulnerable Package
CVE-2024-1635	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious use... Attack Vector: NETWORK Attack Complexity: LOW `ID: BM9yF5gPtqkPb%2B%2B7Sa8r6PEtW7IPpxujpnTDJw8X6%2Fg%3D` Vulnerable Package
CVE-2024-38286	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	details Recommended version: 9.0.108 Description: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat versions 9.0.13 through 9.0.8... Attack Vector: NETWORK Attack Complexity: LOW `ID: m3vt3NDdwOaHJOditBB8wD2dP1%2F4kLUD9UIZxKAfqRg%3D` Vulnerable Package
CVE-2024-7885	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This... Attack Vector: NETWORK Attack Complexity: LOW `ID: Bklozq2%2Fhg5hiXVfKOV0kQmQZz6I7YUWAuxbhi3mWMo%3D` Vulnerable Package
CVE-2025-41249	Maven-org.springframework:spring-core-5.0.4.RELEASE	details Recommended version: 6.2.11 Description: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized s... Attack Vector: NETWORK Attack Complexity: LOW `ID: GvwEH93BiV0KOEqxy4iiWAGr3PA2DIiYZZxZs9uuLfs%3D` Vulnerable Package
CVE-2025-48989	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	details Recommended version: 9.0.108 Description: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache... Attack Vector: NETWORK Attack Complexity: LOW `ID: K91KZlC3h7uz5bOpKxFr5CFbg4sar8XJiatqW2vkEH4%3D` Vulnerable Package
CVE-2025-52434	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	details Recommended version: 9.0.108 Description: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Nativ... Attack Vector: NETWORK Attack Complexity: LOW `ID: x%2BQx8OXm9E0ZPITrbjWD5JA7OnuXId3xmjdnWqmzwQU%3D` Vulnerable Package
CVE-2025-53506	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	details Recommended version: 9.0.108 Description: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces th... Attack Vector: NETWORK Attack Complexity: LOW `ID: MG4qF%2FU0HHI2%2FjtigiFtAAl9SCM3FhRkYrmDL%2FGlzlM%3D` Vulnerable Package
CVE-2025-9784	Maven-io.undertow:undertow-core-2.0.9.Final	details Recommended version: 2.2.38.Final Description: A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, r... Attack Vector: NETWORK Attack Complexity: LOW `ID: bm0emnGV80E7MX7e7wWUy6xjKPWlF1%2FfUg64l3CnWXU%3D` Vulnerable Package
Client_DOM_XSS_from_AJAX	/src/main/webapp/vulnerability/Injection/xxe.jsp: 12	details The method Cx52c852a2 embeds untrusted data in generated output with html, at line 13 of /src/main/webapp/vulnerability/Injection/xxe.jsp. This u... `ID: OL%2FuIfq7JN5kwqO%2BISwvOqjjIE4%3D` Attack Vector
Reflected_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/xxe.java: 44	details The method processRequest embeds untrusted data in generated output with print, at line 54 of /src/main/java/org/cysecurity/cspf/jvl/controller/xxe... `ID: 81ePHxAl963YeuIaQTZO1ghhkls%3D` Attack Vector
Reflected_XSS	/src/main/webapp/login.jsp: 7	details The method login embeds untrusted data in generated output with password, at line 23 of /src/main/webapp/login.jsp. This untrusted data is embedd... `ID: O5PWZKI72b3RTXHWRKS%2Fj%2FDdlKI%3D` Attack Vector
Reflected_XSS	/src/main/webapp/login.jsp: 7	details The method login embeds untrusted data in generated output with username, at line 22 of /src/main/webapp/login.jsp. This untrusted data is embedd... `ID: eoEWtIDC9NGuOnWwX7qRjXMUvkY%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/UserDetails.jsp: 8	details The method UserDetails embeds untrusted data in generated output with print, at line 23 of /src/main/webapp/vulnerability/UserDetails.jsp. This u... `ID: fOULi9c%2BrImvijtxMLsfHV5xcGk%3D` Attack Vector
Reflected_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 39	details The method processRequest embeds untrusted data in generated output with print, at line 55 of /src/main/java/org/cysecurity/cspf/jvl/controller/Add... `ID: jmZX2sk2riL%2FlCaQ8jTTZfqCkJ4%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/xss/search.jsp: 16	details The method search embeds untrusted data in generated output with searchedName, at line 21 of /src/main/webapp/vulnerability/xss/search.jsp. This ... `ID: C40piGgsAAJKrQQtXF%2FG8K1bnJg%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/xss/xss4.jsp: 2	details The method xss4 embeds untrusted data in generated output with print, at line 6 of /src/main/webapp/vulnerability/xss/xss4.jsp. This untrusted da... `ID: %2BgqOBRxeLA1gSb%2B9SkLzopjzgbk%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/xss/xss4.jsp: 2	details The method xss4 embeds untrusted data in generated output with keyword, at line 15 of /src/main/webapp/vulnerability/xss/xss4.jsp. This untrusted... `ID: QKQlljGMqct5efj3ESQVNUHiy94%3D` Attack Vector
Reflected_XSS	/src/main/webapp/login.jsp: 26	details The method login embeds untrusted data in generated output with print, at line 26 of /src/main/webapp/login.jsp. This untrusted data is embedded ... `ID: zcoi4mRUyQIYmLzmT9E8B%2F3TGGA%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/SendMessage.jsp: 18	details The method SendMessage embeds untrusted data in generated output with print, at line 18 of /src/main/webapp/vulnerability/SendMessage.jsp. This u... `ID: wN2U5sVWALig4gXZnC39fXLbnog%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/SendMessage.jsp: 11	details The method SendMessage embeds untrusted data in generated output with print, at line 11 of /src/main/webapp/vulnerability/SendMessage.jsp. This u... `ID: KSW3GemK%2FoBPFbPxG%2FV5l4NYyUs%3D` Attack Vector
Reflected_XSS	/src/main/webapp/vulnerability/Injection/xpath_login.jsp: 9	details The method xpath_login embeds untrusted data in generated output with print, at line 9 of /src/main/webapp/vulnerability/Injection/xpath_login.j... `ID: ECODpGA4VsUiVFhlmgM3UcIsI3Y%3D` Attack Vector
Reflected_XSS	/src/main/webapp/admin/adminlogin.jsp: 68	details The method adminlogin embeds untrusted data in generated output with print, at line 68 of /src/main/webapp/admin/adminlogin.jsp. This untrusted d... `ID: 2icr8P1aDr7cnb1Y9iNo0LY7nII%3D` Attack Vector
Relative_Path_Traversal	/src/main/webapp/vulnerability/idor/download.jsp: 11	details Method download at line 11 of /src/main/webapp/vulnerability/idor/download.jsp gets dynamic data from the ""file"" element. This element’s value ... `ID: WHIEYcy1WD6cmZVJVebMawkwWwM%3D` Attack Vector
Relative_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id.jsp: 18	details Method download_id at line 18 of /src/main/webapp/vulnerability/sqli/download_id.jsp gets dynamic data from the ""fileid"" element. This elemen... `ID: UBFqd5%2Fcw8JYTh%2FvTEzbp2TMhI0%3D` Attack Vector
Relative_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 18	details Method download_id_union at line 18 of /src/main/webapp/vulnerability/sqli/download_id_union.jsp gets dynamic data from the ""fileid"" element... `ID: Ya%2Bf2WhEH%2FH5sCAyB8J1HydRVpo%3D` Attack Vector
Relative_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id.jsp: 18	details Method download_id at line 18 of /src/main/webapp/vulnerability/sqli/download_id.jsp gets dynamic data from the ""fileid"" element. This elemen... `ID: R%2BKfDe0Vi6KhF0swmP1miHXfYuI%3D` Attack Vector
Relative_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 18	details Method download_id_union at line 18 of /src/main/webapp/vulnerability/sqli/download_id_union.jsp gets dynamic data from the ""fileid"" element... `ID: zacjsqVHjC5GMQZMR7nxKYwoNlY%3D` Attack Vector
Relative_Path_Traversal	/src/main/java/org/cysecurity/cspf/jvl/controller/ForwardMe.java: 39	details Method processRequest at line 39 of /src/main/java/org/cysecurity/cspf/jvl/controller/ForwardMe.java gets dynamic data from the ""location"" eleme... `ID: wvkqKWjDNDbw187L2AzXZFnE%2B%2Bs%3D` Attack Vector
Relative_Path_Traversal	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 39	details Method processRequest at line 39 of /src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java gets dynamic data from the ""filename"" element... `ID: PQnbffWLNGTREAvMZlluKt2kQMg%3D` Attack Vector
Remote Desktop Port Open To Internet	/AJP_Open_Port.tf: 6	details The Remote Desktop port is open to the internet in a Security Group `ID: TXOhkkvfKVqFWDmsBau36zN62xA%3D`

More results are available on the CxOne platform

Fixed Issues (65)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-10707~~	Npm-jquery-1.6.4
	~~CVE-2018-1272~~	Maven-org.springframework:spring-core-5.0.4.RELEASE
	~~CVE-2021-44228~~	Maven-org.apache.logging.log4j:log4j-core-2.14.1
	~~CVE-2021-45046~~	Maven-org.apache.logging.log4j:log4j-core-2.14.1
	~~Client_DOM_Stored_XSS~~	/src/main/webapp/vulnerability/Injection/xxe.jsp: 12
	~~Client_DOM_Stored_XSS~~	/src/main/webapp/vulnerability/Injection/xxe.jsp: 15
	~~Remote Desktop Port Open To Internet~~	/AJP_Open_Port.tf: 1
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Sensitive Port Is Exposed To Entire Network~~	/AJP_Open_Port.tf: 6
	~~Unknown Port Exposed To Internet~~	/AJP_Open_Port.tf: 11
	~~Unrestricted Security Group Ingress~~	/AJP_Open_Port.tf: 11
	~~CVE-2020-11022~~	Npm-jquery-1.6.4
	~~CVE-2021-44832~~	Maven-org.apache.logging.log4j:log4j-core-2.14.1
	~~CVE-2021-45105~~	Maven-org.apache.logging.log4j:log4j-core-2.14.1
	~~CVE-2022-22971~~	Maven-org.springframework:spring-core-5.0.4.RELEASE
	~~CVE-2023-34055~~	Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
	~~HTTP Port Open To Internet~~	/AJP_Open_Port.tf: 1
	~~SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible~~	/AJP_Open_Port.tf: 6
	~~Security Group With Unrestricted Access To SSH~~	/AJP_Open_Port.tf: 11
	~~S3 Bucket Without Enabled MFA Delete~~	/s3_with_all_permissions.tf: 1
	~~S3 Bucket Without Enabled MFA Delete~~	/Unsecure_Storage_of_Encryption_Key.tf: 1
	~~S3 Bucket Without Enabled MFA Delete~~	/s3.tf: 1
	~~Use_Of_Hardcoded_Password_In_Config~~	/src/main/webapp/WEB-INF/config.properties: 6

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

fix: pom.xml to reduce vulnerabilities

0d38f7e

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.14.1 to 2.25.3#51

[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.14.1 to 2.25.3#51
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-d9f3eee7294c9d06a268647f1a392f33

weinrich15 commented Dec 21, 2025

Uh oh!

weinrich15 commented Dec 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

weinrich15 commented Dec 21, 2025

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

Uh oh!

weinrich15 commented Dec 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants